1. Field of the Invention
The present invention generally relates to a method and system for configuring a valid duration period for a digital certificate. More particularly, the present invention relates to a method and system for automating the advanced configuration of the valid duration period of the digital certificate on a certificate server.
2. Description of the Related Art
Banking, financial services, government, education, and all varieties of companies rely upon advanced computer systems and data communication networks such as the Internet. While such advancements have greatly increased the speed and convenience with which business is conducted, numerous vulnerabilities compromise the security of the highly sensitive and confidential data being exchanged. At the most basic level, electronic transactions typically involve a server computer system and a client computer system communicating over a network. Additional client or server computer systems may also be connected to the network, such that multiple clients may access a given server, or multiple servers may be accessed by a given client. In this open network environment, the primary concern of data security is three-fold. First, the server must be assured that the client is what it asserts it is. Second, the client must be assured that the server is what it asserts it is. Third, any information being exchanged between a legitimate server and a legitimate client must not be intercepted or changed by any other computer systems on the network.
In the electronic banking setting, for example, the bank must authenticate the identity of the user accessing the banking server, so that transactions relating only to a particular customer are permitted, and that the user accessing the banking server is verified as the customer or someone given authority by the customer. The client must be ensured that the banking server is, indeed, the server operated by the bank, and not a similar one operated by a malicious entity. This is known as a phishing attack, where a fake server is made to resemble the legitimate server, and tricks the user into providing confidential information such as bank account numbers, social security numbers, passwords, and the like. Much harm may be inflicted on the customer by a criminal possessing such information, including erroneous accumulation of debt, arrest records, criminal convictions, destruction of creditworthiness, damage to reputation, and so forth. These are also known as identity theft crimes. Because confidential information is being transmitted over an open network, such information must be encrypted or otherwise rendered incomprehensible to any other system besides the client and the server. The open nature of the network renders computer systems susceptible to replay attacks, where a valid data transmission is intercepted and repeated later for fraudulent or malicious purposes. For example, passwords or other authentication information may be intercepted, and used later to gain access to sensitive information. Further, the information being transmitted on the network must not be modifiable, such as in the case of man-in-the-middle attacks. This involves an attacker reading, inserting and modifying data between a legitimate client and server with neither recognizing the compromised nature of the link.
Generally, these security considerations are of primary importance in all networking environments where sensitive and/or confidential data is being exchanged. Without proper safeguards that prevent the above-described attacks, the security of the organization's data as well as the organization's customers' or clients' data may be compromised, leading to even greater losses than that affecting just one individual.
A proven method to authenticate across the Internet in a manner that ensures the validity of the end user is to use public/private key pairs to digitally sign an authentication request. In this scenario an authentication server sends a message to a client with an expectation that the client will validate its identity by signing the message with the user's private key. Most often this message is a digitally hashed message, utilizing some common hashing mechanism such as MD2, MD4, MD5, SHA1 or some other hash algorithm. The client runs the hash and then signs this hash with the user's private key and returns this digitally signed message to the server. The server, utilizing the same hashing algorithm, then digitally hashes the same message and stores this value, for comparison later, this hash value is called the “Current Hash Value.” The server then takes the digitally signed signature from the client and decrypts this hash value with the user's public key. The server then compares this decrypted digital signature with the Current Hash-Value, if the two are not identical, the digital signature is invalid and the verification is unsuccessful.
Digital certificates have been employed in the context of digital message signing and authentication on the Internet. This mechanism requires a trusted third party or “certificate authority” (CA) responsible for checking each purported owner's claim to the published public key, i.e., requiring some proof of identification of persons publishing and posting public keys for purposes of encryption on the Internet. The certification authority then adds its digital signature to the public key and this, in effect, validates the public key. Compatibility, therefore, is necessary for wide spread and effective use of such digital certificates. Digital certificates issued by different CA's must be compatible in a context of encryption and decryption on a global communications network, i.e., the Internet. Software used to check and certify public keys must reference some standard protocol to be universally effective. One standard form for digital certificates is commonly referred to as the “X.509” standard. This standard was originally part of a “X.500” series of standards, but has been extended to embrace a wide variety of Internet services such as E-mail, worldwide web protocols, user authentication, and electronic commerce.
The client browser retrieves a digital certificate associated with the web server. The certificate, which contains the public key, is used by the browser to authenticate the identity of the web server or network resource, and to encrypt a session key transmitted back thereto for use in encrypting subsequent data. In order to ensure the legitimacy of the server certificate, it is signed by a CA.
Digital certificates are widely used for https web sites, where a web browser validates that an SSL (Transport Layer Security) web server is authentic. If the web server is authentic, the user knows that the website is exactly who it says it is and not an impostor. This type of security is very important with regard to electronic commerce over the Internet. Typically, the web site operator obtains a certificate by applying to a CA with a certificate signing request. The certificate signing request is an electronic document that may contain the website name, a contact email address, and company information. The CA signs the request producing a public certificate. The public certificate is delivered to the web browser that establishes a connection between the client device and the website. The certificate proves to the web browser that the CA trusted and issued a certificate to the owner of the website.
CA's are guarantors of the authenticity and security of online transactions. To accomplish this, the CA's issue digital certificates, or encrypted electronic packages carrying information that authenticates its sender. Certificates usually are issued for one year, although the duration can vary widely. Most CA's are wary of issuing a certificate for longer periods due to concern of long-term security in light of developing technology, the aversion to risk stemming from the trust of individual holders, and the desire to reap continued income from issuing new certificates. Currently, the duration of digital certificates are determined at the CA. Additionally, if the duration of the digital certificate is to be changed, it requires advanced skills in the cryptography field to configure the CA and the appropriate expiration fields in order to vary the duration period. This is a difficult process that many are unfamiliar with.
Accordingly, there is a need in the art for a method and system for a client device and a server to interact and configure a valid duration period for a digital certificate at the CA.